chore(deps-dev): bump fastmcp from 3.2.4 to 3.4.2

[dependabot]

Bumps fastmcp from 3.2.4 to 3.4.2.

Release notes

Sourced from fastmcp's releases.

v3.4.2: Heads Up

FastMCP 3.4.2 restores JWT compatibility for providers that include private, non-critical JWS header parameters. Tokens from providers like Clerk can carry header metadata such as cat without being rejected before signature and claim validation, while unsupported critical headers are still rejected.

What's Changed

Fixes 🐞

• Allow private JWT headers by @​jlowin in PrefectHQ/fastmcp#4290

Docs 📚

• Docs: add v3.4.1 changelog entries by @​jlowin in PrefectHQ/fastmcp#4289

Full Changelog: PrefectHQ/fastmcp@v3.4.1...v3.4.2

v3.4.1: Floor It

FastMCP 3.4.1 floors Starlette at >=1.0.1 so installs can no longer resolve to a version affected by CVE-2026-48710 — previously the dependency was only constrained transitively through mcp, which allowed vulnerable versions. It also makes OAuthProxy log refresh-token cache misses instead of failing silently.

What's Changed

Enhancements ✨

• Log refresh-token misses in OAuthProxy instead of failing silently by @​jlowin in PrefectHQ/fastmcp#4276

Security 🔒

• Add explicit starlette>=1.0.1 floor (CVE-2026-48710) by @​jlowin in PrefectHQ/fastmcp#4286

Docs 📚

• Document --notes-start-tag in release instructions by @​jlowin in PrefectHQ/fastmcp#4275

Full Changelog: PrefectHQ/fastmcp@v3.4.0...v3.4.1

v3.4.0: Remote Control

FastMCP 3.4 is about reaching servers that live somewhere else. The headline is fastmcp-remote, a standalone bridge that connects stdio-only MCP hosts to servers hosted over HTTP. Around it, this release hardens the proxy layer those remote connections depend on — making bridges fail loudly instead of silently, and keeping authenticated sessions alive across the long idle periods that remote clients are prone to.

fastmcp-remote

Some MCP hosts still insist on launching a local stdio command, even when the server you want is already running over HTTP. FastMCP could already proxy a remote URL through fastmcp run, but that pulls in the full server-runner surface. fastmcp-remote is the small, single-purpose version: one URL in, one local stdio proxy out.

{
  "mcpServers": {
    "linear": {
      "command": "uvx",
      "args": ["fastmcp-remote", "https://mcp.linear.app/mcp"]
    }
  }
}

OAuth is enabled automatically for HTTPS servers, with support for explicit bearer tokens and custom headers when you need them. The implementation stays on FastMCP primitives — Client, OAuth, create_proxy, and stdio — and credits the original npm mcp-remote project for the command shape.

... (truncated)

Commits

• 3b8538e Allow private JWT headers (#4290)
• 0445c31 chore: Update SDK documentation (#4223)
• 9261793 Docs: add v3.4.1 changelog entries (#4289)
• e1b52d0 Add explicit starlette>=1.0.1 floor (CVE-2026-48710) (#4286)
• e58f386 Log refresh-token misses in OAuthProxy instead of failing silently (#4276)
• 3f09c68 Document --notes-start-tag requirement in release instructions (#4275)
• e124bde Fix MDX syntax error in changelog (#4270)
• dae11bb Backfill changelog and updates through v3.4.0 (#4269)
• 0f4f78c Fix resource templates with query params on proxied servers (#4251)
• 1a06130 Fix GitHub MCP resource integration test (#4253)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[bito-code-review]

Code Review Agent Run #f046e5

Actionable Suggestions - 0

Review Details

• Files reviewed - 1 · Commit Range: 0ea5911..0ea5911

  • pyproject.toml
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.79%. Comparing base (defacc3) to head (6557e6b).

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #41259      +/-   ##
==========================================
- Coverage   64.36%   63.79%   -0.58%     
==========================================
  Files        2653     2653              
  Lines      144867   144867              
  Branches    33421    33421              
==========================================
- Hits        93250    92412     -838     
- Misses      49946    50782     +836     
- Partials     1671     1673       +2     

Flag	Coverage Δ
hive	39.33% <ø> (ø)
mysql	58.05% <ø> (ø)
postgres	58.12% <ø> (-0.01%)	⬇️
presto	40.92% <ø> (ø)
python	58.33% <ø> (-1.24%)	⬇️
sqlite	57.78% <ø> (ø)
unit	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bito-code-review]

Code Review Agent Run #cd9b7d

Actionable Suggestions - 0

Review Details

• Files reviewed - 3 · Commit Range: 0814dd8..6557e6b

  • pyproject.toml
  • requirements/base.txt
  • requirements/development.txt
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by